VCLEVER BLOG

Posted on April 12, 2014 at 9:07 am by Andrew Arnott

What the Heartbleed vulnerability means and what to do

The Heartbleed security vulnerability has been well-publicised, but advice on what to do varies wildly. We’ve been updating our clients and thought we’d publish our thoughts here.

Heartbleed Vulnerability

What is it?

Firstly, if you haven’t heard about it (which would be quite an achievement), Heartbleed is the catchy but alarming-sounding name given to an error in the code of a widely-used piece of software called OpenSSL, which encrypts data on ‘secure’ websites. OpenSSL is used on roughly two-thirds of secure sites on the web (that is, two-thirds of the sites whose address starts with https:// and which display the little padlock symbol). The error allows an attacker to trick a website’s server into sending back a small chunk of whatever happens to be in the server’s memory at that moment, which could be anything: something harmless, some sensitive data, a password, or an encryption key.

Some reports imply that hackers can simply take specific data at will, but in reality they have to mount the attack repeatedly, getting a small chunk of whatever is in memory each time and hoping something useful turns up. It’s still not good, but it’s not the same thing. And the chances that you personally have been compromised are probably very slim.
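The mechanism described above comes down to one missing check. The following toy model is an added illustration, not OpenSSL’s code: a heartbeat message is type (1 byte), length (2 bytes), payload, then padding, and the responder is supposed to echo the payload back. The defect was that the responder trusted the length field in the message instead of the size of the record it had actually received. The “memory” here is a bytearray constructed for the demonstration, holding the request followed by some made-up neighbouring data.

```python
"""Toy model of the Heartbleed defect and its fix (added illustration, not
OpenSSL's code). A heartbeat message is type(1) | length(2) | payload |
padding(16); the responder must echo the payload. The bug was trusting the
length field instead of the size of the record actually received. The
bytearray below is constructed to stand in for process memory: the record
followed by unrelated data that should never leave the server."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER, PADDING = 3, 16   # 1-byte type + 2-byte length; RFC 6520 minimum padding


def build_heartbeat(payload, claimed_len=None):
    """Encode a request. `claimed_len` models a malformed message whose
    length field exceeds the payload it actually carries."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def _echo(memory, offset, claimed):
    """Build the response by copying `claimed` bytes from the payload start."""
    start = offset + HEADER
    echoed = bytes(memory[start:start + claimed])
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def respond_vulnerable(memory, offset, record_len):
    """Missing bounds check: the copy length comes from the message itself,
    so it can run past the end of the record into neighbouring memory."""
    hb_type, claimed = struct.unpack_from("!BH", memory, offset)
    if hb_type != HB_REQUEST:
        return None
    return _echo(memory, offset, claimed)


def respond_fixed(memory, offset, record_len):
    """With the fix: the declared payload plus header and padding must fit
    inside the record that was received, otherwise the message is dropped."""
    if record_len < HEADER + PADDING:
        return None
    hb_type, claimed = struct.unpack_from("!BH", memory, offset)
    if hb_type != HB_REQUEST:
        return None
    if HEADER + claimed + PADDING > record_len:
        return None
    return _echo(memory, offset, claimed)


def demo():
    """Constructed scenario: a 2-byte payload that claims to be 40 bytes,
    sitting in memory just before a made-up session cookie."""
    neighbour = b"session-cookie=deadbeef"          # constructed neighbour data
    request = build_heartbeat(b"hi", claimed_len=40)
    memory = bytearray(request + neighbour)
    leaked = respond_vulnerable(memory, 0, len(request))   # echoes past the record
    safe = respond_fixed(memory, 0, len(request))          # None: request discarded
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable responder leaked:", leaked)
    print("fixed responder returned:", safe)
```

The point to take from the fixed version is that the only trustworthy length is the one the transport layer reports for the record; anything inside the message is attacker-controlled and has to be checked against it before a single byte is copied.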

What does that mean?

The vulnerability has existed for 2 years but was only discovered a few days ago. That means the worst-case scenario is that the bad guys could have been stealing things like passwords, and possibly even encryption keys, undetected for the last 2 years. If any encryption keys were taken, that gives an attacker the ability to impersonate a website or decrypt sensitive data. It does, however, seem a little unlikely that this was happening before news of the vulnerability broke: you’d have thought there’d have been some major fallout by now, especially as the bad guys wouldn’t have known when their window of opportunity would close.

More likely is that the bad guys have been rushing to exploit the vulnerability in the few days since it was made public. Most big sites were pretty quick to apply the patch that fixes the problem, but there was still a window of opportunity, and some sites still haven’t applied the patch, so they are still vulnerable now.

This probably means that the greatest danger is that your password was revealed to someone with malicious intent by a site that was slow to fix the problem. Even if your information on that site isn’t particularly sensitive, if you’ve used that same password elsewhere for a site where your information is very sensitive (like a banking site), then you could be in trouble as the bad guys will be trying that password everywhere. That word ‘could’ is important though, as the chances of your password having been revealed are actually very slim.

Let’s put this in perspective. An attacker still has to get lucky (or you have to be unlucky) for your password to have been revealed to them. Perhaps you logged into a vulnerable site just before they did and that’s why your password was still in the memory buffer. So all this advice and everything you read in the press is about doing sensible things to mitigate the slim possibility of having been compromised. It’s not quite the Armageddon situation that some are making it out to be.

What people running vulnerable sites should have done

Simple:

1) Install the patch that fixes the vulnerability.

2) Reissue their security certificates.

3) Ask their users to change their passwords after they’ve done 1 and 2.

Obviously, the patch stops the vulnerability being exploited, but if we assume the worst (that a site’s encryption keys were stolen before the patch was applied) then the security certificate should be reissued, with a newly generated private key, so that the bad guys can’t use the stolen key to impersonate the site or decrypt information.

What should you do?

Unfortunately the generic advice of ‘change all your passwords’ that some of the media are dishing out isn’t exactly helpful. Why? Because there’s no point changing your password if the problem hasn’t been fixed on that particular site. In fact, it might even make it more likely that your new password will get stolen, because 1) your new password is then more likely to be sitting in the bit of memory that’s vulnerable, and 2) an awful lot of bad guys are trying to exploit the vulnerability now that they know about it.

Only change your password for a particular site if:

1) The site was using the affected version of OpenSSL – many like Microsoft (Outlook.com, Office365, Bing etc), Apple, Linkedin, Amazon.com, Ebay, Paypal, Evernote and Hootsuite weren’t, so they aren’t affected;

2) they’ve actually applied a patch and ideally have also reissued their security certificate.

On point 1), you can see which sites are affected by looking at articles such as this one on Mashable, by using a tool which looks up whether a site is vulnerable or has been patched, or from announcements by the sites themselves. This tool from Lastpass is handy: Lastpass Heartbleed site checker. In fact, if you use Lastpass, you can run a security check on all the passwords in your vault and it’ll tell you which ones need changing.

So, definitely change passwords for any sites that were vulnerable, that have already been patched, and that have issued new security certificates – like Google (including Gmail, Apps and Youtube), Yahoo, Facebook, Tumblr and Dropbox.

Sit tight for sites that were vulnerable and haven’t yet applied a patch (and ideally don’t use them at all for now just in case). As we mentioned above, the point here is that it was unlikely that anyone was stealing people’s passwords/data before the vulnerability was revealed, but hackers are definitely trying it now, so logging into a vulnerable site to change your password is not a good idea. Wait till they’ve patched it, then do it.

The tricky in-between case is those sites that have applied the patch, but haven’t updated their security certificate yet. It’s probably fine to change your password, but it’s better to sit tight until they have reissued the certificate. The exception is that some of the big boys like Google and Twitter use something called ‘perfect forward secrecy’ which basically means that even if a key were compromised, it couldn’t be used to access future transmissions so their certificates are safe anyway. Again, the best thing to do is use this tool from Lastpass which will advise if you should change your password for a particular site.
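The three questions in the advice above (was the site running an affected OpenSSL, has it been patched, has it reissued its certificate) can each be turned into a check. The code below is an added example, not VClever’s or Lastpass’s tool. It assumes facts the post does not state: that the affected OpenSSL releases are 1.0.1 through 1.0.1f (fixed in 1.0.1g) plus 1.0.2-beta1; that distributions often backport the fix without changing the version string, so the version check is only a first screen; and that the certificate cutoff is the public disclosure date, taken here as 7 April 2014. The `openssl version` lines and certificate dates used in the tests are constructed samples.

```python
"""Checks behind the Heartbleed advice (added example code, not the post's
own tool).

Assumptions not stated in the post: affected OpenSSL releases are 1.0.1
through 1.0.1f (fixed in 1.0.1g) plus 1.0.2-beta1; vendors often backport
the fix without bumping the version string, so the version check is only a
first screen; the disclosure date used as the certificate cutoff is
7 April 2014."""
import re
import socket
import ssl
from datetime import datetime, timezone

DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)   # assumed cutoff date

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_version_affected(version_line):
    """Classify the first line of `openssl version`.
    Returns True (affected), False (not affected) or None (unrecognised)."""
    m = VERSION_RE.search(version_line)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    release = (int(major), int(minor), int(fix))
    if release == (1, 0, 1):
        return letter <= "f"      # plain 1.0.1 ("") and 1.0.1a..f are affected
    if release == (1, 0, 2):
        return beta == "1"        # only the first 1.0.2 beta carried the bug
    return False                  # 0.9.8 and 1.0.0 never had the heartbeat code


def cert_reissued_after(cert, cutoff=DISCLOSURE):
    """`cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    A certificate whose validity starts before the cutoff cannot have been
    reissued in response to the bug; one issued after it may have been."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(seconds, timezone.utc)
    return issued >= cutoff


def fetch_peer_cert(host, port=443, timeout=5):
    """Live lookup (needs network): the server's leaf certificate as a dict,
    suitable for passing to cert_reissued_after()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def password_advice(affected, patched, cert_reissued, forward_secrecy=False):
    """Encodes the post's decision tree: change only once an affected site
    is patched; hold off while the old certificate is still in use, unless
    the site uses forward secrecy."""
    if not affected:
        return "no change needed"
    if not patched:
        return "wait: do not log in until the site is patched"
    if cert_reissued or forward_secrecy:
        return "change your password now"
    return "probably fine to change, but better to wait for a reissued certificate"


if __name__ == "__main__":
    # Constructed sample: what an administrator might see on an unpatched box.
    line = "OpenSSL 1.0.1e 11 Feb 2013"
    print(line, "->", openssl_version_affected(line))
    sample_cert = {"notBefore": "Apr 10 00:00:00 2014 GMT"}   # constructed
    print("reissued after disclosure:", cert_reissued_after(sample_cert))
    print(password_advice(True, True, cert_reissued_after(sample_cert)))
```

Two caveats when using these checks. A certificate dated after the cutoff shows the site issued a new certificate, not that it generated a new private key; reissuing with the old key gives no protection, so operators should generate a fresh key. And forward secrecy limits what a stolen key can decrypt from recorded sessions; it does not stop the key being used to impersonate the site, so the `forward_secrecy` shortcut mirrors the post’s advice about when to change a password, not a reason for an operator to skip reissuing.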

Probably the most important point to come out of all of this

Don’t use the same password for different sites/services. It may seem like a good idea to choose a great password and use it for everything, but if a low security site gets breached, someone then has the key to all your sites. Don’t do it! The best thing you can do is use a password manager like lastpass.com to remember all your passwords (it will generate long, difficult random passwords and all you have to do is remember one really good password).

And obviously…

Although not related directly to this vulnerability, it’s also worth pointing out that you should use good passwords. The most important thing is not to use idiotically simple ones like a person’s name or your company’s name or ‘qwerty’ or ‘password123’! If you’re using them, they will get compromised (don’t think you’re too insignificant for anyone to try – there are so many automated bots floating around the web trying basic passwords, you would not believe!).

So use as long a password as you can and throw some capitals in and some numbers (and ideally some symbols too). If you use really short, poor passwords, it doesn’t matter if there are any security vulnerabilities, as you will inevitably get hacked at some point.

Again, we recommend Lastpass to generate and store complex passwords. It’ll even fill them in automatically for you. Incidentally, Lastpass was affected by Heartbleed, but they have multiple levels of security that act as fail-safes, which meant that the vulnerability effectively made little difference.
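To put numbers on the advice to use long passwords and to let a manager generate them, here is an added example (not Lastpass’s code). It draws characters uniformly at random from a CSPRNG, which is what a password manager’s generator does, and works out the entropy as length times log2 of the alphabet size. The crack-time figure uses a guessing rate of ten billion per second that is assumed here purely to make the comparison concrete, and the list of obviously weak passwords is a small constructed sample.

```python
"""Generating and sizing passwords (added example, not a password manager's
code). Entropy is len * log2(alphabet) for uniform random choice; the
guessing rate used for crack-time estimates is an assumed figure."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed sample of the "idiotically simple" choices the post warns about.
OBVIOUSLY_WEAK = {"password", "password123", "qwerty", "123456", "letmein"}


def generate_password(length=20, alphabet=ALPHABET):
    """Uniform random choice from a CSPRNG; every character adds
    log2(len(alphabet)) bits, so length is the cheapest way to add strength."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` characters chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second=1e10):
    """Average time to guess, assuming half the space must be searched."""
    return (2 ** bits / 2) / guesses_per_second


def is_obviously_weak(password):
    """Cheap screen: too short, or on the (constructed) common-password list."""
    return len(password) < 8 or password.lower() in OBVIOUSLY_WEAK


def compare():
    """Entropy (rounded to 0.1 bit) for three constructed policies, showing
    that 20 mixed characters dwarf 8 of anything."""
    rows = [
        ("8 chars, digits only", 8, 10),
        ("8 chars, full set", 8, len(ALPHABET)),
        ("20 chars, full set", 20, len(ALPHABET)),
    ]
    return {name: round(entropy_bits(n, k), 1) for name, n, k in rows}


if __name__ == "__main__":
    for name, bits in compare().items():
        years = expected_crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("generated:", generate_password())
```

The comparison is the reason the post tells you to prefer length over clever substitutions: each extra character on the full 94-symbol set adds about 6.6 bits, so going from 8 to 20 characters multiplies the search space by more than 2^78, something no amount of symbol-juggling in an 8-character password can match.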

2-factor authentication

Lastly, we’d also recommend using 2-factor authentication where it’s available for sites with more sensitive data. Don’t know what that is? It simply means that the site requires more than one way of proving it’s you. For example, when enabled for Google Apps, you enter your password and Google will text a code to your phone which you’ll also need to enter. You don’t have to do this every time, just when you’re on a computer or phone that it doesn’t recognise. This adds another layer of protection, which is well worth having for sites where a security breach could be a disaster (like banking or email).

Good luck and more resources

Good luck out there! Hope this information proves useful to a few people. If you’re looking for more detail on this, we’ve listed a few articles that we found useful ourselves below.

Filed under: All, Industry news, News, Technical stuff